public inbox for linux-audit@redhat.com
From: Eric Paris <eparis@redhat.com>
To: Anton Blanchard <anton@samba.org>
Cc: Michael Neuling <mikey@neuling.org>,
	linux-audit@redhat.com, linux-kernel@vger.kernel.org,
	Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH] audit: speedup for syscalls when auditing is disabled
Date: Fri, 27 Aug 2010 13:49:15 -0400
Message-ID: <1282931355.3284.84.camel@dhcp231-106.rdu.redhat.com>
In-Reply-To: <20100826033456.GB17882@kryten>

On Thu, 2010-08-26 at 13:34 +1000, Anton Blanchard wrote:
> Hi Eric,
> 
> Here's another approach Mikey and I were discussing. We allocate the
> tsk->audit_context as before, but we avoid setting the TIF_SYSCALL_AUDIT until
> the first rule gets added.
> 
> We could look at clearing the flag when the rules go back to zero, but this
> simple patch covers the most common case I think.

It just dawned on me where we are going to have problems.  We have
things other than syscall filter rules that can cause us to want the
collected audit info.  Namely SELinux (or other LSM) denials.

Crap.

So the change in audit_alloc() should probably be conditionalized on
more than just audit_n_rules().  Not exactly sure what that is though.  

It might also make our syscall entry/exit speedups not as great of an
idea as I thought.  I need to look for other audit users to see how
these things are going to affect them :(

-Eric
